Web server/services hardening using SELinux

Instructor

Pavol Luptak

Duration

1 day

Summary

Security-Enhanced Linux (SELinux) is a FLASK implementation integrated in the Linux kernel with a number of utilities designed to provide mandatory access controls (MAC) through the use of Linux Security Modules (LSM) in the Linux kernel. SELinux generally supports many kinds of mandatory access control policies, including those based on the concepts of type enforcement, role-based access control, and multi-level security.

A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

This training introduces the basic concepts of SELinux and its differences from classical UNIX/Linux systems, describes the security advantages of mandatory access control policies, and teaches how to effectively and rapidly configure a fully functional LAMP environment on a SELinux system.

Audience

Security consultants, system administrators, programmers focused on system security

Bring your own laptop. Each student will have their own SELinux virtual machine for experiments.

Secure Programming with Java

Instructor

Lucas C. Ferreira

Duration

1 Day

Summary

This training class will present best practices of secure programming in the Java language. It includes Java-specific practices (i.e. how to avoid problems that arise from the compilation of Java source code to the bytecode language used by the JVM) and general practices that also apply to other programming languages (with examples in Java). Some tools that may be used to verify the security of Java code and systems will be shown.

The topics include a quick overview of the OWASP Top 10, in order to contextualize the practices presented, and several best practices aimed at the different software layers. At the presentation layer, we focus on input validation, access control issues and dealing with exceptions. At the business objects layer, the practices deal with cloning and serialization issues. Practices to prevent command injection are presented at the persistence layer. Practices that should be used throughout all the software are also presented, including input data validation, class and method visibility, using and storing secrets, dealing with inner classes, overflows and boxing, and object initialization.

Audience

Java web application developers. This training requires basic understanding of web applications and an intermediate level of proficiency in the Java language and Object Oriented concepts. People with interest in other OO languages may also benefit from this training, but specific techniques, examples and tools used are targeted to Java.

Table of Contents

OWASP Top 10 - quick overview

Secure Programming Best Practices

Presentation layer

Preventing cross-site scripting

Access control

Request validation

Error treatment

Business object layer

Cloning and serialization issues

Persistence layer

Command injection issues

Database access users and permissions

File manipulation

Infrastructure layer

J2EE container-related best practices

Native method issues

SSL and encryption

Practices for all software layers

Data validation

Garbage collection issues

Classes and method scoping

Use of secrets

Inner class issues

Over/underflow and boxing issues

Tools

Code review tool

Data flow tool

Pen-testing tool

Course Specifics

Due to the lack of time, we will only show tool usage (no practical exercises with the audience).

OWASP Top 10 - What Developers Should Know on Web Application Security

Instructor

Sebastien Deleersnyder and Martin Knobloch

Duration

4 hours. To be scheduled on Tuesday.

Summary

Application security is an essential component of any successful project; this includes web applications, open source PHP applications, web services and proprietary business web sites.
Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of a development or deployment organization has specific needs and requirements regarding web application security education. A manager needs different information from a security professional or developer. Novices to the profession require different training from people with several years of experience.

The OWASP Education project aims to provide building blocks of web application security information. These modules can be combined into education tracks targeting different audiences.
This education track is a 4-hour session covering what developers should know about web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or remediated. A secure coding initiative must deal with all stages of a program's life cycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Good secure development practices, particularly for developers, are covered in a separate topic. Finally the track finishes with an exhaustive list of web application security resources for web application developers.

Audience

Web application developers who are unaware that there are security issues with contemporary web applications. No prior knowledge of web application security is assumed or necessary. This track is independent of the coding language or web framework used, such as PHP, JSF, Java EE or .NET. We must realize that web application developers are only one link - albeit an important one - of the chain that represents the security of a web application. This track aims to make that link as secure as possible, given the constraint of 4 hours. Another important aspect is that web application security should be tailored to the risk profile of an organization and the specific development environment of that organization.

Table of Contents

The challenge is to cover web application security for a web application developer in 4 hours. The material is presented in such a way that developers will be able to recognize and correct web application vulnerabilities in their projects.

This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.

There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the actors involved, the processes (development as well as deployment) and the technologies.

This 4-hour education track is only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.

Hard Copy

Web Sites

Mailing lists

Blogs

Roundup (10 min)

Course Specifics

No specific prerequisites.

Linux Software Exploitation

Instructor

Nam Nguyen

Duration

2 days

Summary

This course is a primer on software exploitation in the Linux environment. The course assumes only a basic understanding of Linux commands and of C programming with the standard library. It explains computer architecture and assembly language, then moves on to three basic classes of security bugs (buffer overflow, format string, and race condition) and methods of taking advantage of them. Throughout the course, various examples are introduced with increasing difficulty so that participants will naturally realize the art of software exploitation for themselves.

This course does not discuss shellcoding. Except for one example where provided shellcode is used as an illustration, all other challenges require only good analysis and calculation.

The course is conducted as a workshop with heavy interaction between participants and instructor. There will not be any presentation slides. Participants are expected to take notes during the course.

Audience

Software developers, system administrators, security engineers with some experience in Linux and C programming.

Table of Contents

Computer architecture

Assembly language

Buffer overflow

Format string

Race condition

Techniques

Overwrite critical variable

Overwrite return address

Return to .text

Return to libc

Overwrite .dtors

Overwrite .got

Overwrite .bss, functors

Bypass Address Space Layout Randomization

Tools of the trade: IDA, GDB, and Python

Course Specifics

Bring your own laptop with VMware Player or equivalent. A VM image will be provided.

Classic ASP Security using OWASP tools

Instructor

Juan Carlos Calderon

Duration

1 day

Summary

Classic ASP 2.0 and 3.0 applications are still widely used: this technology is more than 10 years old and was widely adopted, and there are thousands of sites in the wild that need guidance in the security arena. This is where OWASP can step in and provide help in "making the Web a better place".

Audience

People involved in the development or maintenance of Classic ASP applications at all levels, including developers, application architects, testers, etc.

None. Stay posted for changes to the table of contents and course specifics.

Web Application Assessments

Instructor

Vicente Aguilera Diaz

Duration

4h

Summary

As in the physical world, "professional" attackers spend most of their time analysing their target and trying to gather as much information as possible about it. The more detailed and accurate the available information, the more likely the attack is to succeed.

The aim of this course is to identify patterns and tools to perform this analysis (the step prior to the attack); it is supplemented by a case study on a practical application.

Audience

Software developers, security consultants, system administrators and people who love security.

Hacking Owasp Orizon Project v1.0

The course will present the Owasp Orizon v1.0 framework. The major APIs will be fully explained and a simple scanning tool will be built using the Orizon framework.

The course goal is to let people fully understand Orizon internals and how to use the framework in the real world.

Audience

Security specialists, code reviewers and curious developers

Table of Contents

Owasp Orizon Internals

Translation engine

Owasp Orizon XML project

XML used in writing security checks

XML used in translation phase

Static analysis engine

Crawling engine

Reporting engine

Create a simple tool using Orizon

Course Specifics

Participants have to bring their own laptop with the latest Owasp Orizon version and J2SE 1.6 or later; a Java IDE (e.g. Eclipse) is also helpful.

Securing WebGoat with ModSecurity

Instructor

Stephen Craig Evans

Duration

4h

Summary

ModSecurity, normally a tool of the network security group, has capabilities that can allow a software security specialist with programming skills to mitigate business logic flaws and other vulnerabilities that are out-of-reach of basic blacklists.

How to Win AppSec Hacking Contests and Deploy Better Web Applications

This class will demonstrate how an attacker approaches potentially vulnerable web applications, taking advantage of both poor server configuration and poor application implementation to discover and exploit vulnerabilities of several types.

The right way and the wrong way to escape input to prevent SQL injection

The right way and the wrong way to encode output to prevent XSS

More bad practices to avoid

More good practices to maintain

Course Specifics

Bring your own laptop to participate in attacks on sample web applications. Firefox is the preferred browser for exploiting web applications. Automated scanning tools are out of scope for this class.

Uncovering WebScarab's Secret Treasures

Instructor

Rogan Dawes

Duration

1 day.

Summary

OWASP WebScarab has a lot of hidden features that probably no one but the author really knows about. This in-depth hands-on session will show delegates how to access these features, and how to use them to their full potential.

Audience

Application reviewers, developers

Table of Contents

Using the spider

Manual Request Transforms

What is the XSS/CRLF plugin, and how does it work?

Using the Fuzzer

Comparing Responses

Searching WebScarab history

Exploring the Beanshell

Writing Proxy Intercept scripts

Writing Script Manager Scripts

Writing other scripts

Course Specifics

Bring your own laptop

Advanced Web Application Security Testing

Instructor

Michael Coates, Aspect Security

Duration

2 days.

Summary

While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner.

Course Specifics

Bring your own Windows based laptop

Building Secure Web 2.0 Applications

Instructor

Arshan Dabirsiaghi, Aspect Security

Duration

1 day.

Summary

Web 2.0 applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. This one-day training addresses the special issues that arise in this type of application development.

Course Specifics

Bring your own Windows based laptop

Building Secure Web Services

Instructor

Dave Wichers, Aspect Security

Duration

2 days.

Summary

The movement towards Web Services and Service Oriented Architecture (SOA) paradigms requires new security paradigms to deal with the new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, identity servers and related software. Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system.

This course will teach you about OWASP's new Enterprise Security API (ESAPI), what it is composed of, and how to use it to improve the security and reduce the cost of developing those applications. This class covers each interface within the API, how it is intended to be used, and what the benefits are of using this interface, over other techniques for addressing the same security concerns.

The course also discusses how to bring ESAPI into your organization and how to tailor it to your organization's specific needs and application infrastructure.

Course Specifics

Bring your own Windows based laptop

Ajax Security

Instructor

Brad Causey

Duration

1 day

Summary

This course will provide an introduction to AJAX, its inherent security issues, how to detect them, and how to resolve them.

Audience

Web Application Security Professionals

Table of Contents

Introduction to AJAX

Security Issues with architecture

Toolkits

Toolkit Security Concerns

Bridges and Issues

Attacking AJAX

Defending AJAX

Securing the Code

Best Practices

Other Issues and Concerns

Q and A

Course Specifics

Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.

Flash Player Security

Instructor

Peleus Uhley

Duration

1/2 day

Summary

This course will provide an overview of the Flash Player security model and common architectures for Flash deployment. The course is targeted at people who need to understand the fundamentals of Flash Player security and how it will affect their websites, such as CSOs, web designers and web architects. The goal of the course is to provide the student with enough information to architect a secure Flash deployment. The follow-on Auditing Flash Applications course will continue to build on this knowledge on an API-by-API level.

Audience

Web Application Security Professionals and those who make decisions or recommendations about Flash deployments.

Course Specifics

Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.

Auditing Flash Applications

Instructor

Peleus Uhley

Duration

1/2 day

Summary

This course is a follow-on to the Flash Player Security course for those who want to do a deep dive into the security of Flash applications. This course is targeted at Flash authors and website auditors who need to validate Flash code and provide meaningful recommendations and best practices for improving Flash deployments. The goal of the course is to provide the student with the tools and information to audit a Flash website and provide quality feedback on how to remediate any issues.

Audience

Flash Developers, Web Application Penetration Testers

Course Specifics

Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.